[webkit-changes] [WebKit/WebKit] 051d30: Crash in WebCore::RenderFragmentedFlow::objectShou...

[Alan Baradlay]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 051d303f45e1be8f20b51b959132a8070aabdeda
      https://github.com/WebKit/WebKit/commit/051d303f45e1be8f20b51b959132a8070aabdeda
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2025-01-24 (Fri, 24 Jan 2025)

  Changed paths:
    A LayoutTests/fast/multicol/multi-col-inside-skipped-content-crash-expected.txt
    A LayoutTests/fast/multicol/multi-col-inside-skipped-content-crash.html
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderFragmentedFlow.cpp

  Log Message:
  -----------
  Crash in WebCore::RenderFragmentedFlow::objectShouldFragmentInFlowFragment
https://bugs.webkit.org/show_bug.cgi?id=286019
<rdar://problem/142992656>

Reviewed by Antti Koivisto.

This patch ensures that RenderFragmentedFlow does not crash when its state is stale due to
being inside a skipped subtree.

m_fragmentsInvalidated gets cleared at layout but skipped content subtree does
not necessarily run layout (unless forced).

Test case credit goes to Claudio Saavedra (csaavedra at igalia.com).

* LayoutTests/fast/multicol/multi-col-inside-skipped-content-crash-expected.txt: Added.
* LayoutTests/fast/multicol/multi-col-inside-skipped-content-crash.html: Added.
* Source/WebCore/rendering/RenderBox.cpp:
(WebCore::RenderBox::positionForPoint):
* Source/WebCore/rendering/RenderFragmentedFlow.cpp:
(WebCore::RenderFragmentedFlow::objectShouldFragmentInFlowFragment const):
(WebCore::RenderFragmentedFlow::collectLayerFragments):

Canonical link: https://commits.webkit.org/289341@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications